How does this virus link work?

I just received 2 obviously suspicious emails from the same source, one an hour after the other, with similar subject lines, but each had a different order number. They claimed to be about a UPS package that I ordered, each with a different order number (I haven’t ordered anything online recently).

The “From” sender of the email was obviously fake–it said:
UP-S at nonmap dot com. The dash in UPS is obvious, and nonmap dot com makes no sense, either.

The emails contained an image of a badly-done UPS logo, and a single ungrammatical sentence “your package is out for delivery-Click Here”

I didn’t click, of course, but I did do a mouseover to see the link in the words “click here”–and that’s what I am asking about. I have questions about three parts of the link’s address:

The mouseover link was very long, and I will first describe the three parts of it:
The first part was:
https://Gtx.Twilightparadox dot com/

After the slash was the second part—a list of about 15 numbers with decimal points between them–some numbers were 5 digits, some 4 digits, some 3 digits, some 1 digit.

Then, after all those numbers, was a third part–a single string of letters and numbers, about 200 characters long

So my questions are: where would that link have gone if I had clicked on it?

Regarding the first part of the link: (https://Gtx.Twilightparadox )

  1. why does the link start httpS, not http ? Is that significant?
  2. what does the prefix GTX mean?
  3. Twilightparadox is apparently a server for games like Minecraft, but googling “GTX.twilightparadox” doesn’t help.
    Apparently gtx is a format for a filetype called “texture” files.

Regarding the second part of the link:
  4. What do the numbers after the slash dot-com mean?
Here are the numbers:
4.3744.274.237.16758.1141.4.4156.15264.22726.65286.79332.6900.16848.58683
The specific numbers are probably not important, I’m just wondering about the format–1 digit, 4 digits, then 3, 3, 5, 4, 1, 4, etc. What are these? (Addresses, and if so, of what? Or maybe something to do with Windows?)

Regarding the third part of the link:
It was a long string of about 200 characters, consisting of letters (both capital and lower-case) and digits, with one equal-sign (=) in the middle, but no slashes or hashtags or special characters such as & or parentheses.
What does this string do? I’m guessing that it is the file name of a virus that would attack my computer–but why is it so long?

HTTPS (Hypertext Transfer Protocol Secure) is the secure version of HTTP that encrypts communication between your browser and a website.

Yes, but I always thought that somehow the S meant it was more secure. They always told me to look for the S before replying, for example, to my bank. But if an obvious spammer and dangerous virus is using https, what benefit is there to me as an innocent user to rely on the S?

Since I was curious,

Our Website is Coming Soon!

with some links,

Live News
Learn more about our email marketing agency
Unsubscribe from our newsletter
Privacy Policy

I can’t tell you exactly what they mean, but this is almost certainly just tracking information.

Your (probably) stolen ID/email is matched with a database, and those extraneous digits are there to track your response.

If you do respond, there is a plethora of information that can be deduced, from your region, your browsing history (not entire), many habits.

If I post a URL on this or other sites, I am careful to remove everything after the question mark (?) as that information is very often - not always - used to track users.

I have worked in online casinos. Probably the worst at aggressively tracking visitors.

Edit to add: it does not need to be just a querystring, the text that follows a ?. Any weirdly long URL is almost certainly tracking you.

There was no question mark among the 200 characters of the mouseover.

But it’s interesting to learn that maybe it wasn’t a scary, malicious virus to attack me, just a less-scary malicious attempt at tracking me. :)

A question mark is just the most common format.

I have a domain, I can grab info from you via

http: // domain/some-long-text

Just as easily as

http: // domain?x=some-long-text

Or even

http: // domain?some-long-text (though this is not common)

Yes, but the security is of the “difficult for third parties to intercept this communication” type, not the “everything you do here is safe” type. In other words, it is securing the pipe the data is going through, not the meaning of the data.

What @Digital_is_the_new_Analog said. The “s” in https protects you from malicious third parties. It doesn’t help if the owner of the site you are clicking to is malicious. Anyone can set up a secure site for a few bucks.

A url is basically of the form “protocol://internet address/message”. The protocol and internet address part have to adhere to an internet standard, but the message part can be just about anything. For instance, “https://boards.straightdope.com/abunchofrandomcharactersandnumbers”. The message part is intended to be processed by the website that’s running at that internet address. It’s up to that website as to what it does with the message. There are some standard web servers that most sites use, so it’s not unusual to see lots of URLs with the same kind of formatting in the message. But the formatting of the message doesn’t have any kind of strict internet requirement it needs to comply with. The spammers likely have their own custom web server to handle the incoming request, so they can have the message look however they like. A spammer may make the message part look like a more standard message, but that may be just to fool people who do the mouseover. If the message part of the URL looks more like a standard URL from the bank, the user may be more likely to click on it.

Unless you’re a security expert, you probably shouldn’t access the website even just to check it out. The spammer’s web server may try to exploit vulnerabilities in your browser to download a virus onto your system.

Nothing. Totally arbitrary.

The .com part (or .net, .org, etc) is a “top level domain” (TLD) that belongs to, let’s say The Internet, just to keep it simple.

The domain name, the part preceding the TLD, twilightparadox, is a domain that someone purchased. That establishes a record with The Internet that is literally a text record (a DNS record) that tells your browser where to go on The Internet to find the content at twilightparadox-com. It makes it easier for everyone instead of having to use the actual address of the domain, which is a number like 123.456.78.90. The text record links the domain name with the number and the number represents a server (for simplicity’s sake).

That DNS record has some sub-records in it. Like the address of the server where you might find mail, or other sub-records such as sub-domains. That’s what the GTX is in this instance - a sub-record. One can point the sub-domain to a different server if they want, or a different application (different than the main application at twilightparadox) on the same server or whatever. You can create sub-sub records for the domain if you want. All of it is just an organizational tool to use words instead of numbers to get your browser to connect to specific places on The Internet.

From a user perspective, gtx-dot-twilightparadox-dot-com could mean the same as twilightparadox-dot-com-slash/gtx. It doesn’t really matter.

A URL is like a record in the Yellow Pages. The .com is the city, the domain name is the house, and anything before the domain name is telling you what room in the house to find a person. The person may or may not be in the same house, but it’s up to the house to tell you where to find them. The https tells you what means you can travel to get there.

The actual site you are directed to - the first part of the URL is quite possibly simply compromised and is unwittingly hosting the bad content. HTTPS means your connection to the server has some level of security, not that what you have reached is in any way good.

Once you reach the actual http server, the rest of the URL is essentially free text that the server can use in whatever way it wants. Things like question marks and other formatting are just conventions used by common server engines. Some formatting allows encoding of data into text that won’t get mangled as it transits the connection. (Base64 for instance.)

As noted above, it is common to encode information in URLs in emails that allow the site to determine exactly whose email the request came from. So minimally they know that it was you that clicked on the link. Marketing campaigns use such things to track effectiveness and record which people on mailing lists are clicking. Malware emailers similarly know a live human was there, which if nothing else increases the value of your email address.

Just allowing preview or downloading of images in your mailer does this. Which is a reason to disable such things.

Just to emphasize what ZipperJJ said, the important thing to remember is that a URL is almost entirely arbitrary. It doesn’t have to mean anything at all, and it is often misleading on purpose.

The last part of a domain (.com, .org, there are hundreds more suffixes now) you choose from a list of allowed ones. The middle part before that (eg straightdope) can be almost anything that isn’t already taken, depending on the suffix’s particular rules. If straightdope.forum is available, anybody can buy it.

Anything before the domain and after the suffix is entirely arbitrary. It can be anything the website owner wants it to be, and they don’t necessarily have any meaning. You can have zero or one or more subdomains. You can have query strings or not. You can have folders/paths or not. You can encode the URL or not.

In other words, really only the domain and suffix itself (straightdope.com) are subject to any purchasing rules (and only barely). Everything else is entirely made up.
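Putting the point of the last few posts into code, as an added example that is not from anyone in the thread: the only part of the mouseover link that was purchased and is checked by anyone outside the site is the registrable domain; the subdomain in front of it, the dotted-number path segment and the long token are free text for that server. This uses Go's net/url on the link described in the original post; the final token is shortened and invented here because the original was not posted in full, and the "last two labels" rule is a stand-in for the Public Suffix List a real implementation would consult.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Parts is one link broken into the pieces the thread discusses: the
// protocol, the host split into subdomain and the registrable domain someone
// actually paid for, and the free-text remainder the server interprets.
type Parts struct {
	Scheme            string
	Host              string   // full host, lowercased
	RegistrableDomain string   // what the registrar sold, e.g. "twilightparadox.com"
	Subdomain         string   // everything in front of it, e.g. "gtx"
	PathSegments      []string // slash-separated free text
	Query             string   // text after "?", if any
	Fragment          string   // text after "#", if any
}

// Dissect parses an absolute http(s) URL. The registrable-domain split uses the
// simplification "last two labels"; a real implementation consults the Public
// Suffix List so that "example.co.uk" is not cut at "co.uk".
func Dissect(raw string) (Parts, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return Parts{}, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return Parts{}, errors.New("not an http(s) URL")
	}
	host := strings.ToLower(u.Hostname())
	labels := strings.Split(host, ".")
	if len(labels) < 2 {
		return Parts{}, errors.New("host has no top-level domain")
	}
	p := Parts{Scheme: u.Scheme, Host: host, Query: u.RawQuery, Fragment: u.Fragment}
	p.RegistrableDomain = strings.Join(labels[len(labels)-2:], ".")
	p.Subdomain = strings.Join(labels[:len(labels)-2], ".")
	if trimmed := strings.Trim(u.Path, "/"); trimmed != "" {
		p.PathSegments = strings.Split(trimmed, "/")
	}
	return p, nil
}

// MatchesOrganisation answers the only question a link in an email can be
// judged on: is the registrable domain exactly the one the sender claims?
// Subdomains, paths and the "s" in https carry no weight, and neither does a
// look-alike such as "up-s.com" or "g00gle.com".
func MatchesOrganisation(p Parts, expectedDomain string) bool {
	return p.RegistrableDomain == strings.ToLower(expectedDomain)
}

func main() {
	// Constructed from the link described in the thread; the trailing token is
	// shortened and invented since the original was not posted in full.
	link := "https://Gtx.Twilightparadox.com/4.3744.274.237.16758.1141.4.4156.15264.22726.65286.79332.6900.16848.58683/AbC123xyz="
	p, err := Dissect(link)
	if err != nil {
		panic(err)
	}
	fmt.Printf("scheme:    %s\n", p.Scheme)
	fmt.Printf("subdomain: %q (arbitrary, chosen by whoever runs the domain)\n", p.Subdomain)
	fmt.Printf("domain:    %s (the only part anyone had to register)\n", p.RegistrableDomain)
	fmt.Printf("path:      %d segment(s) of free text for the server\n", len(p.PathSegments))
	fmt.Printf("is this UPS? %v\n", MatchesOrganisation(p, "ups.com"))
}
```

The useful habit this encodes: before anything else, pull out the registrable domain and compare it exactly to the domain you expect. Everything else in the link is under the sender's control and tells you nothing.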

As for https, it’s common now because Google unilaterally decided to make it so a few years back, changing Chrome to warn you when you access a non https site and downranking them on Google Search too. For a lot of websites, https doesn’t do any good, but because of that change, everyone, even scammers, switched over. These days https is free because there is a “certificate authority” called LetsEncrypt that anyone can use for free, including scammers. It takes maybe 30 seconds to set up a new https site. Maybe five minutes to add a new spam domain.

Never trust a URL unless you trust the domain name.

HTTPS means the person who has registered (bought) the domain name and set up the server has purchased a certificate from an authority that supposedly verifies who they are. If it is a Minecraft game server, then my theory is it’s legit and lets users/members put Minecraft stuff on it.

My theory is that it is a share site for members to share things they built for minecraft, and someone has figured out how to put something nasty on the server above and beyond their minecraft stuff. The “GTX” makes me think it is a server for resources (textures, etc.). If it’s set up and run by some hobbyists, probably does not have very good security.

Or… someone could have compromised the whole server. if it still works for its legit purpose too, the real owners may not even have noticed.

The only thing important to the rest of the internet is the domainname-dot-com. (or org, or whatever). DNS uses that and tells your computer the IP address to send to. When the domain address receives the request packet, the extra bit (gtx-dot) tells the domain what to do with it. Often, it is used because a domain can have multiple servers - you used to see mail-dot-foo-dot-com and webserver-dot-foo-dot-com and archive-dot-foo-dot-com etc. The domain might have one IP address, and multiple servers behind their gateway/firewall and that sub-domainname tells the firewall which server to send it to. (or, which port number/program on the server to send it to).

I agree, when the server receives your long string of numbers and letters, that’s probably something that was generated by a program. The server will match your request string to whatever email address it used to send out that particular string. If it then asks for more details - name, address, phone, create an account and enter a password - this is why it’s a bad idea to use the same password on multiple different servers and accounts… Now they have the person’s personal details and typical password (and typical username, if it asked to create an account name - are you “Bob12345” on every site?). So many sites nowadays use your email as the userid for logon. Now they can try (or the server can try for them) logging into Google, Paypal, Amazon, etc. with your email and common password.

If they send out a million emails and get a dozen hits - well, that was cheap.
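As an added example, not code from anyone in the thread, here is one common way a mailer mints a per-recipient token and how the receiving server maps a click back to an address, which is the mechanism the posts above describe. It also puts the token in the path rather than after a "?", since that was the point made earlier about query strings being only the usual place. The key, domain, addresses and campaign name are constructed; nothing here is a claim about what the actual 200-character string encoded.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

const tagLen = sha256.Size // 32-byte HMAC tag appended to each token

// MintToken builds the opaque per-recipient string a mailer puts in each link.
// The payload is "campaign|recipient"; the HMAC tag stops anyone from forging
// or guessing other recipients' tokens. The output is base64url, so it is made
// only of letters, digits, "-" and "_", and it needs no "?" to carry it.
func MintToken(key []byte, campaign, recipient string) string {
	payload := []byte(campaign + "|" + recipient)
	mac := hmac.New(sha256.New, key)
	mac.Write(payload)
	return base64.RawURLEncoding.EncodeToString(append(payload, mac.Sum(nil)...))
}

// ResolveToken is what the receiving server does on a click: decode, check the
// tag, and recover exactly which address (and which mailing) the hit came from.
func ResolveToken(key []byte, token string) (campaign, recipient string, ok bool) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil || len(raw) <= tagLen {
		return "", "", false
	}
	payload, tag := raw[:len(raw)-tagLen], raw[len(raw)-tagLen:]
	mac := hmac.New(sha256.New, key)
	mac.Write(payload)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return "", "", false
	}
	parts := strings.SplitN(string(payload), "|", 2)
	if len(parts) != 2 {
		return "", "", false
	}
	return parts[0], parts[1], true
}

// TrackingLink places the token in the path, not a query string: a "?" is only
// the most common place for tracking data, not the only one.
func TrackingLink(domain, token string) string {
	return "https://" + domain + "/t/" + token
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed mailing list and hypothetical tracking domain.
	for _, addr := range []string{"alice@example.net", "bob@example.org"} {
		fmt.Println(TrackingLink("tracker.example", MintToken(key, "ups-lure-2", addr)))
	}
	// Simulate one click: the server learns who responded from the path alone.
	tok := MintToken(key, "ups-lure-2", "alice@example.net")
	c, r, ok := ResolveToken(key, tok)
	fmt.Printf("click resolved: campaign=%s recipient=%s valid=%v\n", c, r, ok)
}
```

Two things worth noticing when you run it: every recipient gets a different link for the same mailing, and a link that resolves tells the sender the address is live and the person clicks, which is exactly the value the post above mentions.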

In the modern internet, a non-TLS protocol like “http” without the “s” is often automatically not trusted by browsers. Google, for instance, has set up Chrome to automatically try to find the “https” version of any “http” URL.

So it makes sense a bad actor will make sure their hosting supports HTTPS. They want the links to work without interference.

You don’t even need to purchase certs anymore. Services like Let’s Encrypt will issue certs to anyone for free in under 60 seconds. You just need to have a site publicly viewable or control over the DNS records.

Every top-level domain has some entity that has authority over it, and that authority can decide based on whatever criteria they want who’s allowed to get a site under that domain. It’s just that, for the vast majority of them, the criterion the authority has decided on is “anyone who sends us twenty bucks”.

But you’re very unlikely to be able to get, say, a .va address that way, because the authority for that one is the Vatican, and I don’t think they’re in the selling-addresses business.

On the other hand, the tiny nation of Tuvalu was lucky enough to be assigned the Top Level Domain .tv and a significant part of the country’s revenue comes from leasing domain names ending in .tv to entities involved in television-related activities.

The theory of certs as I remember from a decade ago, was that all certificates include a link to a base authority, and so are verified by a chain back to a few base certificates (i.e. this site is verified because the certificate is verified by that certificate authority). The browsers trust only certificates that lead back to these authorities, which were loaded when you installed Windows or whatever and only updated through Microsoft and other authorities. If you wanted your own little silo of certification, you could add your own certificate(s) to the list of “trusted authorities” for your organization. However, in general only certain authorities could issue valid certificates that the whole world would trust, and those groups had some level of verification, usually requiring identification (for what that’s worth in today’s world).

I’m not sure how that has changed now.

Yes, that is how it works. A few certificate authorities are ultimately trusted by Microsoft, Google, Apple, and Mozilla. Those certificate authorities (and sub-authorities) can issue certificates to domains.

All the certificate authorities verify is that the certificate requester controls the domain they want a cert for. They don’t check if the requester has a criminal history, intends to use it for nefarious purposes, etc. I can request a certificate for fakebitcoinwallet.com whose mission statement is to steal your bitcoins, and as long as I can prove I own it, I’ll get a certificate.

The proof of ownership is often automated, such as modifying the DNS for the domain, or putting a special file on the website.

If a certificate authority grants certificates for domains not owned by the requester, then the CA will be dropped as a trusted authority. That can be a business ending mistake, and if it is deliberate will definitely cause them to be dropped.

Bottom line, a valid certificate is a good indication that a website is who they claim to be, but says nothing about what the motivations are of the website. So g00gle.com having a valid certificate does not mean it is really google.com.
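An added example, not from anyone in the thread, that exercises the chain-of-trust rules in the last two posts using Go's standard x509 library: a constructed root CA (standing in for the handful of roots browsers ship) issues a certificate for g00gle.com, the browser-side check accepts that certificate for g00gle.com, rejects it for google.com, and rejects it outright when the root is not in the trust store. The root, keys and names are all constructed; the domain-control proof a real CA performs is assumed to have passed before issuance and is not simulated.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed trust setup: one root CA and one leaf it issued, plus
// the pool of roots a browser would trust.
type PKI struct {
	Root  *x509.Certificate
	Leaf  *x509.Certificate
	Roots *x509.CertPool
}

// issueLeaf does what a CA does once the requester has proven control of a
// name: sign a certificate for exactly that name. Purpose and reputation are
// not checked, only the name.
func issueLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName}, // the only thing the CA verified
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour), // short lifetime, Let's Encrypt style
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildPKI creates a self-signed root, issues a leaf for leafName, and loads
// the root into a trust store the way a browser vendor would.
func BuildPKI(leafName string) (*PKI, error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Example Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	leaf, err := issueLeaf(root, rootKey, leafName)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return &PKI{Root: root, Leaf: leaf, Roots: roots}, nil
}

// TrustedFor is the browser's check: does the chain end at a trusted root, is
// the certificate in date, and does it name the host we are connecting to?
// A nil error means "the padlock shows"; it says nothing about intent.
func TrustedFor(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

func main() {
	p, err := BuildPKI("g00gle.com") // a look-alike the CA issues for without hesitation
	if err != nil {
		panic(err)
	}
	for _, host := range []string{"g00gle.com", "google.com"} {
		fmt.Printf("visiting %-11s -> %v\n", host, TrustedFor(p.Leaf, p.Roots, host))
	}
	// Same certificate, but the issuing root was never trusted by the browser.
	fmt.Printf("root not in trust store -> %v\n", TrustedFor(p.Leaf, x509.NewCertPool(), "g00gle.com"))
}
```

Note the empty pool in the last check is deliberately non-nil: passing a nil Roots in Go means "use the system trust store", which is the "loaded when you installed Windows" list the earlier post describes.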